Cisco TelePresence Video Communication Server Expressway
Certificate generation process using OpenSSL
Cisco VCS Deployment Guide: Certificate creation and use with Cisco VCS
Page 12 of 33
The privatekey.pem file will be used to create the certificate request and will also be required for loading into the VCS. The file is created in the directory that the openssl command is run from.
5. Generate a certificate request by running the following command:
openssl req -new -key privatekey.pem -config openssl_vcs.cfg -out certcsr.pem -outform PEM
6. Enter the data requested, including:
• Country
• State or province
• Locality name
• Organization name
• Organizational unit
• Common name – this is the VCS cluster FQDN if the certificate is for a cluster of VCSs, or the FQDN of the VCS if the certificate is for a single VCS
• Email address – optional, can leave blank
• A challenge password – optional, can leave blank
• An optional company name – optional, can leave blank
After entering the requested data, the operation completes and the certificate request file certcsr.pem is now available.
This certificate request file can be passed to an internal or third-party Certificate Authority for generating the X.509 certificate. OpenSSL can be used to operate a private CA, and this process is documented in the following section.
Operating as a Certificate Authority using OpenSSL
A major deployment will likely make use of a third-party certificate authority, or already have one internal to an organization’s IT department; it is also possible to use OpenSSL to manage certificates in a private certificate authority. This process is outlined below.
Configuring OpenSSL to act as a CA
OpenSSL is powerful software, and when operating as a CA it requires a number of directories and databases to be configured for tracking issued certificates.
The list of directories and files can be found in the openssl configuration file under the section [ CA_default ].
By default, the three files/directories required to be created are:
• A demoCA directory in the current directory.
• An empty file called index.txt in the demoCA directory.
• A file called serial in the demoCA directory, storing the current serial number of an issued certificate. This should contain a 4-digit hexadecimal number, such as “1000”.
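The following POSIX shell script is an added example, not a script from the Cisco guide. It performs the certificate-request steps (5 and 6) above without the interactive prompts, and creates the [ CA_default ] layout described in this section. It assumes the openssl binary is on the PATH; the subject values and the vcs.example.com hostname are constructed placeholders; the guide's openssl_vcs.cfg is not reproduced here, so the default OpenSSL configuration is used; the key is generated without -des3 so the script can run unattended; and the newcerts directory is an addition based on the stock openssl.cnf, not on the guide's list.

```shell
#!/bin/sh
# Added example for the Cisco VCS guide: not the guide's own script.
# Assumes the openssl binary is on PATH. Subject values below are constructed
# placeholders; replace CN with the VCS FQDN (or the cluster FQDN).

# Create the layout that openssl's [ CA_default ] section expects, relative to
# the directory given as $1 (default: current directory, as in the guide).
# The guide lists demoCA, index.txt and serial; newcerts is added here because
# the stock openssl.cnf sets new_certs_dir = $dir/newcerts and "openssl ca"
# cannot write issued certificates without it (assumption from the default
# config, not from the guide).
setup_demo_ca() {
  base="${1:-.}"
  mkdir -p "$base/demoCA/newcerts"
  : > "$base/demoCA/index.txt"              # empty issued-certificate database
  printf '1000\n' > "$base/demoCA/serial"   # next serial: 4 hex digits, per guide
}

# Generate the VCS private key and certificate request without the prompts of
# step 6: the subject fields the guide lists are passed via -subj instead.
#   $1 key file (default privatekey.pem)   $2 CSR file (default certcsr.pem)
#   $3 common name: the VCS FQDN, or the cluster FQDN for a cluster of VCSs
# The guide's "-config openssl_vcs.cfg" is not reproduced here, so the default
# openssl.cnf applies; add it back when the VCS-specific config is in place.
make_vcs_csr() {
  key="${1:-privatekey.pem}"
  csr="${2:-certcsr.pem}"
  cn="${3:-vcs.example.com}"
  openssl genrsa -out "$key" 2048 2>/dev/null || return 1
  openssl req -new -key "$key" -out "$csr" -outform PEM \
    -subj "/C=US/ST=California/L=San Jose/O=Example Corp/OU=IT/CN=$cn" \
    2>/dev/null || return 1
}

# Read the common name back out of a CSR so the request can be checked before
# it is handed to the CA. Handles both "CN=x" and "CN = x" subject formats
# printed by different OpenSSL versions.
csr_common_name() {
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# Confirm the CSR's self-signature verifies, i.e. the request was made with
# the private key that privatekey.pem holds and has not been altered.
csr_is_valid() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}
```

Typical use is to source the script, run setup_demo_ca once in the directory the CA will operate from, then make_vcs_csr with the VCS FQDN and check the result with csr_common_name and csr_is_valid before sending certcsr.pem to the CA; a wrong CN found at this point is far cheaper to fix than a certificate that the VCS's peers reject.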
Create a Certificate Authority using OpenSSL
This process will create a private key and certificate of a Certificate Authority (CA), which can then be used to validate other certificates. Note that this CA will not be trusted by devices other than those on which it is explicitly installed.
From a command prompt:
1. For Windows: change to the directory where OpenSSL is installed (typically a ‘bin’ directory)
For Mac OS X: stay in the root of the user’s directory.
2. Generate a private key for the CA by running the following command:
openssl genrsa -des3 -out ca.key 2048